CVE-1999-1074

HIGH 7.5 / 10.0
Published: December 31, 1999 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Webmin versions prior to 0.5 place no limit on the number of failed login attempts for a valid username. An attacker who can reach the Webmin listener can therefore submit password guesses online, one after another, until one succeeds. This is a credential-guessing attack, not a bypass of the login check: the attacker still has to find the right password, but nothing in Webmin slows that search down. Because Webmin is a system-administration interface that normally runs as root, a successful guess against an administrative account gives the attacker full control of the host.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker locates a Webmin instance, typically by finding its HTTP listener on the target system.

Step 2: Username Selection: The attacker needs a valid username, since the missing limit applies to attempts against existing accounts. Administrative account names are an obvious first guess; this weakness does not by itself reveal which usernames exist.

Step 3: Password Guessing: The attacker uses a brute-force or dictionary tool to submit password guesses for the chosen username, one request per guess, to the Webmin login page.

Step 4: Unlimited Attempts: Because Webmin neither counts failures nor locks or delays the account, every guess is evaluated in full and the attacker can keep going indefinitely. The only practical limits are network bandwidth and the length of the wordlist.

Step 5: Successful Login: Eventually a guess matches and the attacker is logged in with the privileges of that Webmin user, which for an administrative account means root-level control of the system.

03 // Deep Technical Analysis

The vulnerability lies in Webmin's authentication handler. It does not track failed login attempts per user, so there is no account lockout, no delay between attempts and no threshold after which further guesses are refused. Every submitted password is checked against the stored credential regardless of how many wrong passwords preceded it. The root cause is the absence of any code that records consecutive failures for a username and temporarily refuses or slows logins for that account once a threshold is reached; the affected range (before 0.5) indicates that such a limit was introduced in 0.5. For detection, the observable signature is a burst of failed logins for a single username from one source address in the Webmin log. When adding a lockout, note that a purely per-username lock lets an attacker deliberately lock out the administrator, so it should be combined with per-source throttling and a bounded lock duration rather than a permanent disable.
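The following Python is an added illustration and is not Webmin's code (Webmin is written in Perl). It models the behaviour the CVE describes, a login check that accepts any number of wrong guesses, beside the missing control, a per-username failure counter with a timed lockout, and runs the same constructed wordlist against both. The credential store, the password, the wordlist and the thresholds are all assumptions made up for the demonstration.

```python
"""Login throttling, the control missing in Webmin before 0.5 (CVE-1999-1074).

Added example, not Webmin code. Users, passwords, wordlist and thresholds
are constructed for the demonstration.
"""
import hashlib
import hmac
import time

# Constructed credential store: username -> (salt, PBKDF2 of the password).
_SALT = b"\x00" * 8  # fixed salt for a reproducible demo only


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


USERS = {"admin": (_SALT, _hash(_SALT, "letmein7"))}


def password_ok(username: str, password: str) -> bool:
    """Verify a password with a constant-time comparison of the derived key."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(salt, password), expected)


class UnthrottledLogin:
    """The CVE behaviour: every guess is checked, however many came before."""

    def attempt(self, username: str, password: str, now: float = 0.0) -> bool:
        return password_ok(username, password)


class ThrottledLogin:
    """Per-username failure counter with a bounded lockout (the missing control)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time the lock expires

    def is_locked(self, username: str, now: float) -> bool:
        return self.locked_until.get(username, 0.0) > now

    def attempt(self, username: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return False  # refuse without evaluating the password at all
        if password_ok(username, password):
            self.failures.pop(username, None)  # success resets the counter
            return True
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.max_failures:
            # Bounded lock: expires on its own, so it cannot be turned into a
            # permanent denial of service against the administrator.
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
        return False


# Constructed attacker wordlist; the real password is deliberately last.
WORDLIST = ["password", "admin", "123456", "webmin", "qwerty", "root", "letmein7"]


def brute_force(login, username: str, wordlist, now: float = 0.0):
    """Steps 3 to 5 of the mechanism: submit each guess, stop on success.

    Returns (password_found_or_None, number_of_attempts_submitted).
    """
    for i, guess in enumerate(wordlist, 1):
        if login.attempt(username, guess, now=now):
            return guess, i
    return None, len(wordlist)


if __name__ == "__main__":
    print("unthrottled:", brute_force(UnthrottledLogin(), "admin", WORDLIST))
    throttled = ThrottledLogin(max_failures=5, lockout_seconds=300)
    print("throttled:  ", brute_force(throttled, "admin", WORDLIST))
    print("admin locked at t=100s:", throttled.is_locked("admin", 100.0))
```

Against the unthrottled verifier the seventh guess succeeds; against the throttled one the account locks after the fifth failure, the remaining guesses are refused unread, and the correct password is only accepted again once the lock has expired. The lock is per username and time-bounded; in a real deployment it should be paired with per-source-address throttling so that an attacker cannot simply lock the administrator out, and every failure should be logged with the source address so that the burst of failures in the log is visible to detection.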

CVE-1999-1074 - HIGH Severity (7.5) | Free CVE Database | 4nuxd